In my website I'm using an ajax call to get some information from the backend. Even if I'm using SSL someone can intercept the call and replace the real response with a fake one.
Is there a way to be ...

The django docs tell us that our AJAX scripts should acquire the token from the designated cookie as in get_cookie('_csrf_token'). Can I rather print it to the HTML source, so that it's available to ...

I'm learning about web security mechanisms. I have developed the following system
in PHP and JavaScript:
assuming that I have a page named messages.php, which is a real-time chat system.
First, when ...

I am writing a User Management system that has to include a change of password utility. We don't front end hash passwords (hopefully we will soon). As a result passwords are passed over https in the ...

What I know about CSRF is that a malicious website tricks a normal user into issuing a request to a trusted website using a form.
I understand that this is possible because we can post forms to different ...

First post on sec, so go easy.
I'm developing a REST application using the Spring Framework, and as part of the requirements, we have to secure the different functions of the system to different user ...

I developed a web application in single-page application (SPA) architecture using Ext JS as the client interface, but I have trouble defining the right way of securing it with AJAX queries. How could I ...

I'm reviewing a website a friend developed, and was looking for general errors and concerns. In reviewing I noticed he is very heavy on ajax calls using JSON to a RESTful API that he maintains on a ...

I've been trying to see how to properly protect important content that's passed in ajax calls with JavaScript. Considering JavaScript can be viewed at any point, it is inevitable that some of your ...

From two different applications, I was able to send cross-origin requests. Though the browser returns a "cross origin" error, my server is still receiving and executing the request. For example, from a ...

I totally understand the basis of origin policy and the reasoning why all modern browsers have put this policy into place.
My question I guess is, do older browsers support this, and if they don't, ...

I need to sync with my server with the client certificate abc.pfx, which is generated by the server, using Ajax. How do I send my certificate with the Ajax object? Can I do this certificate authentication ...

I am working on an ASP.NET MVC web application, which fetches its data from an API in the back. So authentication is currently done via ASP.NET Forms Authentication, which means the client sends email ...

Is there any tool to (automatically) find all backend JavaScript entrypoints within a site?
I have to check a site for vulnerabilities in the backend code that validates AJAX parameters and I would ...

Ours is an Ajax-heavy application with concurrent Ajax requests. Generating unique tokens with each request, or expiring and creating new tokens after a certain interval, could get tricky with multiple ...

Say I've got that web application that has a CSRF protection according to the Synchronizer Token Pattern. The server expects a valid CSRF token in each POST request when the user is authenticated. Now ...

Without going into too many details, I have a site which is 100% Ajax. All requests to the site (both GET and POST) are done via Ajax. Now I have to implement CSRF protection, and all the solutions I ...

I'm using anti-CSRF tokens on all my forms to prevent CSRF attacks. Also, the tokens are being saved in the $_COOKIE variable to validate against the value I get from the form. I'm resetting the token ...

I intend to build a front end site entirely in JavaScript (NodeJS) and I would like to do ajax calls to a REST WS which is on another domain on the client side.
I intend to use oauth2 and SSL to secure ...

It was suggested over at stackoverflow that I try my question here. This is it verbatim:
So, it's impossible to do AJAX requests securely without using SSL. I get it. You can either view-source the ...